I'm trying to retrieve this log event using the Splunk C# SDK v2.1.1.0
<Event timestamp="2015-01-06T17:44:54.284679+00:00" loglevel="Info" process="Advent.Arms" source="QueryManager" logger="QueryManager" message="UpdateMethodSchedule" appraisalcalcmode="A" perfcalcmode="A" calcperformancetypecode="G" BatchTime="2015-01-06T17:44:53.3365908+00:00" FirmGuid="xxxxxxxx-xxxx-xxxx-xxxxxxxxxx" />
Here is the query
index="myindex" sourcetype="arms" earliest=-7d (message="UpdateMethodSchedule" OR message=UpdateMethodSchedule OR message=UpdateMethodSchedule) [ search earliest=-7d index="myindex" sourcetype="arms" (message="UpdateMethodSchedule" OR message="UpdateMethodSchedule" OR message="UpdateMethodSchedule") | stats latest(BatchTime) as BatchTime ]
When I retrieve the result many of the fields are missing from the SearchResult.FieldsNames property. When I try to retrieve the missing field values using SearchResult.GetValue() the value is null.
The missing fields are extracted properly when running the same search from Splunk web search. Also, I see the missing fields when looking at the event raw view (SearchResult.SegmentedRaw.Value).
What am I doing wrong so I cannot access these fields?
I see another post regarding missing fields but this seems like a different issue since my missing fields are in the event itself. Also, I can see these fields using the earchResult.SegmentedRaw.Value property.
I'm not sure why but adding " | fields *" to the end of my query made all of the missing fields appear.
I'm not sure why but adding " | fields *" to the end of my query made all of the missing fields appear.